Eoin Keary Code review Lead Irish Chapter Lead

Presentation transcript:

OWASP Code Review
Eoin Keary, Code Review Lead, OWASP Irish Chapter Lead

Agenda
- What is the Code Review Guide?
- Secure Code Review (who cares?)
- Sister Projects

The Code Review Guide: What is it?
- The most comprehensive open-source secure code review guide on the web
- One of the "OWASP Trinity" of guides
- Available as a wiki, as a free download, and as a "real book"
- Is 3 years old, but never finished
- Contributors from across the globe
- #3 on the "OWASP best-seller list" (Yippee)

Guide 2008 (v1.1) Contents
- Foreword by Jeff Williams, OWASP Chair
- Welcome to the OWASP Code Review Guide 1.1
- About The Open Web Application Security Project
- Code Review Guide History
- Introduction
- Preparation
- Security Code Review in the SDLC
- Security Code Review Coverage
- Application Threat Modeling
- Code Review Metrics
- Crawling code
- Searching for code in J2EE/Java
- Searching for code in Classic ASP
- Code review and PCI DSS
- Reviewing by technical control: Authentication
- Reviewing by technical control: Authorization
- Reviewing by technical control: Session Management
- Reviewing by technical control: Input Validation
- Reviewing by technical control: Error Handling
- Reviewing by technical control: Secure application deployment
- Reviewing by technical control: Cryptographic controls
- Reviewing Code for Buffer Overruns and Overflows
- Reviewing Code for OS Injection
- Reviewing Code for SQL Injection
- Reviewing Code for Data Validation
- Reviewing Code for Cross-site scripting
- Reviewing code for Cross-Site Request Forgery issues
- Reviewing Code for Logging Issues
- Reviewing Code for Session Integrity issues
- Reviewing Code for Race Conditions
- Additional security considerations: Java gotchas
- Java leading security practice
- Classic ASP Design Mistakes
- PHP Security Leading Practice
- Strings and Integers
- Reviewing MySQL Security
- Reviewing Flash Applications
- Reviewing Web services
- How to write an application code review finding
- Automated Code Review Tool Deployment Model
- The OWASP Orizon Framework
- The OWASP Code Review Top 9
- Guide References
Guide V1.1: 214 pages (66% bigger!!)
Guide V1.0: 143 pages

Sustainable Environment
BIOMIMICRY: Nature's manufacturing genius applied to industry and engineering
- Sustainable engineering model
- Evolution of systems: robust, strong DNA (code) of a solution assures stability in the cyber environment. Think Darwin, survival of the fittest.
- Organisms built correctly ensure stability and evolution.
- The "penetrate and patch" model, which is what we currently do, does not adhere to the natural order.

Secure Code Review
What it is:
- Examination of developed source code for quality. Security = Quality
- Robust and stable code
- More expensive
- Can be more accurate
- Requires a unique skill set to do properly
What it isn't:
- A silver bullet
- A replacement for other security controls
- A replacement for poor application development
- Easy
- Cheap (not manual review, anyway)

Can we automate code review? Automate = Good
- Yes!! (It's cheaper to do)
- Higher throughput, quicker return
- But is it like a Web Application Firewall in the case of runtime protection? Limited protection: it catches many types of issues, but not all?

Web Application Firewall (WAF)
- Catches attack vectors very well
- Protects against SQL Injection, XSS, OS Injection, CRLF injection, DoS, directory traversal, etc.
- Not great against: business logic flaws, CSRF attacks, session management issues/hijacking…

Automated Review
"A fool with a tool is still a fool"…?

Example: CSRF Protection
Cross-Site Request Forgery (CSRF): causing an unsuspecting user's browser to send requests they didn't intend (funds transfer, form submission, etc.), preferably as an authenticated user (banking, ticket purchase), without them knowing about it.
Can an automated scanner understand context here?

    // Servlet-style Java; the null-safe equalsIgnoreCase order avoids a NullPointerException
    // when the "Action" parameter is absent.
    String actionType = request.getParameter("Action");
    if ("BuyStuff".equalsIgnoreCase(actionType)) {
        // Re-prompting for the password defeats a forged cross-site request
        // (the attacker cannot supply it), yet there is no "token" for a tool to spot.
        response.add("Please enter your password");
        return response;
    }
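To make the slide's point concrete, the following added example (not code from the talk or the OWASP guide; written in Python rather than the slide's Java) shows a request handler with two independent CSRF defences, the re-authentication prompt from the snippet and a per-session synchronizer token, next to a naive pattern rule of the kind an automated scanner applies. The action names, session object and parameter names are constructed for the example.

```python
import hmac
import secrets

# Constructed for this example (not from the OWASP guide): actions that must be
# re-authenticated, as the slide's "BuyStuff" branch does.
REAUTH_ACTIONS = {"BuyStuff", "TransferFunds"}


class Session:
    """Minimal stand-in for a server-side session (constructed for the example)."""

    def __init__(self, password):
        self.password = password                 # real code stores only a password hash
        self.csrf_token = secrets.token_hex(16)  # per-session synchronizer token


def handle_request(session, params):
    """Dispatch one state-changing request and return a status string.

    Two independent CSRF defences are shown: a per-session token that a
    cross-site page cannot read, and, as in the slide's snippet, a password
    prompt for high-risk actions that a forged request cannot satisfy.
    """
    action = params.get("Action", "")
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):  # constant-time compare
        return "rejected: missing or invalid CSRF token"
    if action in REAUTH_ACTIONS and params.get("password") != session.password:
        return "Please enter your password"
    return "ok: " + action


# The slide's snippet as text, so a naive pattern rule can be run over it.
SLIDE_SNIPPET = """
String actionType = request.getParameter("Action");
if ("BuyStuff".equalsIgnoreCase(actionType)) {
    response.add("Please enter your password");
    return response;
}
"""


def naive_csrf_rule(source):
    """Pattern rule of the kind an automated scanner applies: reports the code
    as CSRF-protected only if it sees a token being checked. It cannot tell
    that the password prompt above already defeats a forged request."""
    lowered = source.lower()
    return "csrf" in lowered or "token" in lowered
```

The naive rule reports the slide's snippet as unprotected (a false positive), while a forged request against handle_request is stopped by either defence; recognising that the password prompt is a control is the context a human reviewer supplies.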

Jeremiah Grossman / Arian Evans, BH 08
New layer of attacks: workflow disruption and hijacking
- Legal cyber attacks
- Booking systems
- Transactional systems
- Security code review and application threat modelling are required to identify the weakness
Artificial Scarcity DoS (WhiteHat):
1. Select a flight
2. Agree to the terms and conditions
3. Provide your personal details
4. Select a seat (*the seat is reserved and no other user may select it for a variable amount of time, from a few minutes to several hours)
5. Enter payment information (don't submit, obviously)
6. Repeat and automate for every seat on the flight
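The artificial-scarcity workflow above is a business logic flaw that no injection signature will catch; the control a reviewer looks for is in the seat-hold logic itself. The following added example (not code from the talk, constructed here with assumed policy values) shows a seat-hold manager that bounds how many unpaid holds one account can keep open and expires them on a short timer, with an injectable clock so the expiry can be exercised without waiting.

```python
import time

# Assumed policy values, constructed for this example (not from the talk).
MAX_HOLDS_PER_USER = 4    # a legitimate booking never needs more open holds
HOLD_TTL_SECONDS = 300    # an unpaid hold returns the seat to the pool


class SeatHolds:
    """Tracks temporary seat holds (step 4 in the slide) for one flight.

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.holds = {}   # seat_id -> (user_id, expires_at)

    def _expire(self):
        now = self.clock()
        for seat, (_, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                del self.holds[seat]

    def count_for(self, user_id):
        """Number of live (unexpired) holds belonging to user_id."""
        self._expire()
        return sum(1 for owner, _ in self.holds.values() if owner == user_id)

    def hold(self, user_id, seat_id):
        """Try to hold seat_id for user_id; return True on success.

        Refuses seats held by someone else and caps concurrent holds per
        user, so one account cannot park every seat on the flight. A real
        system would also rate-limit per source address and session.
        """
        self._expire()
        owner = self.holds.get(seat_id)
        if owner is not None and owner[0] != user_id:
            return False                        # held by another user
        if owner is None and self.count_for(user_id) >= MAX_HOLDS_PER_USER:
            return False                        # per-user cap reached
        self.holds[seat_id] = (user_id, self.clock() + HOLD_TTL_SECONDS)
        return True

    def confirm_payment(self, user_id, seat_id):
        """Step 5 completed: turn the hold into a sale. Returns False if the
        user did not hold the seat (expired or never held)."""
        self._expire()
        if self.holds.get(seat_id, (None,))[0] != user_id:
            return False
        del self.holds[seat_id]                 # seat is now sold, not held
        return True
```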

OWASP Code Review Tools
- Code Crawler: Alessio Marziali
- Orizon Framework: Paolo Perego

Deployment models
Developer adoption model:
- Deploy automated tools to developers
- Control the tool rule base
- Security reviews the results and probes a little further
Testing Department model:
- The test department includes automated review in functional testing
Application security group model:
- All code goes through the application security group
- The group uses manual and automated solutions

OWASP Code Review Guide 2.0 (2009): Help Required
- New ideas and approaches welcomed
- Want to do more integration with tools